Metasploit vSploit Modules
Marcus J. Carey
David “bannedit” Rude
Will Vandevanter
Outline
• Objective of vSploit Modules
• Metasploit Framework architecture
• What are Metasploit modules?
• vSploit modules
• vSploit and Intrusion Kill Chains
• Writing Metasploit Modules
• Live Demo
Metasploit overview
• Metasploit Project founded in 2003
• Open source penetration testing platform with over 1 million downloads in the past year
• Acquired by Rapid7 in 2009
• HD Moore joined Rapid7 as Chief Security Officer and Chief Architect of Metasploit
• Rapid7 remains committed to the community
• Metasploit Framework is the foundation for the commercial editions Metasploit Express and Metasploit Pro
Metasploit Framework Architecture (diagram)
• Libraries: Rex, MSF Core, MSF Base
• Interfaces: Console, CLI, GUI & Armitage
• Modules: Exploit, Payload, Encoder, NOP, Auxiliary
• Plugins, RPC, Tools
What are Metasploit Modules?
• More than just exploits
• Payloads – the “arbitrary code” you hear about in
advisories
• Encoders – add entropy to payloads, remove bad
characters
• NOP – create sophisticated NOP sleds
• Auxiliary – Like an exploit module but without a payload
– Underappreciated
Which would you pick for a training drill? Live ammo or paint balls?
Live ammo = live exploits; paint balls = vSploit modules
Introducing: vSploit Modules
• New spin on auxiliary modules
– Focus on attack response emulation
– Not intended for exploitation
– Continues Metasploit's roots as a security testing and validation framework
– Allows organizations to understand their current security investment
• Stand-alone compatibility
– No exploitation used
– Possible to remove exploit modules if necessary in some environments
vSploit: Purpose
• Evaluate devices on their own merit
• Minimal traffic evasion
• Trigger alerts on purpose
• Ensure proper network device placement
• Test and train security staff
• Test security architecture without exploits
vSploit: Interesting Traffic
• Many network-based security offerings monitor network traffic for behavior
• Many devices are signature-based
• Devices need to be placed on the network properly to see interesting traffic
• Good test cases are hard to emulate
vSploit: Network Traffic Devices
• IDS
• IPS
• DLP
• Firewalls
• Network Intelligence Devices
Security Monitoring
• ESIM
• Netflow collectors
• Other log correlation devices (e.g. Splunk)
• Network-based vulnerability analysis devices
IDS/IPS
• Signature-based
• Looks for known suspicious traffic
– SQL injections
– Attack responses
• Alert on suspicious behavior
Data Loss Prevention (Network Based)
• Similar to IDS
• Concerned with data leakage
• Personally Identifiable Information (PII)
– Social security numbers
– Payment information
• Protected Health Information (PHI)
– Medical records
• PCI-related data
– Credit card numbers
Enterprise Security Information Management (ESIM)
• Collects system logs
• Significant capital investment
• Provides correlation
• Provides reporting
• Key to most security operations efforts
vSploit: Interesting Traffic (diagram)
The client sends a request for interesting traffic on a designated port; the Metasploit host (MSF #1) answers with a signature-matching string, with a network traffic analysis device on the path between them.

vSploit: Simulating Malicious DNS Queries (diagram)
Metasploit sends DNS queries for foo.ru, foo.cn and foo.kp to the internal DNS server (i.e. the domain controller); the DNS server's logs feed the ESIM.
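As an added example (not code from the slides or from the vSploit modules), the wire-format query that the DNS beaconing scenario above sends, and the detection side: the kind of TLD watch-list check an ESIM correlation rule would apply to the DNS logs. The watch list and the query names are constructed for illustration from the TLDs on the slide.

```ruby
# Added example, not the vSploit module's own code: build the DNS query the
# "Simulating Malicious DNS Queries" slide describes and show the detection
# side, a TLD watch-list check of the kind an ESIM rule would apply to DNS logs.

# Encode a hostname as a DNS wire-format QNAME: length-prefixed labels, zero byte.
def encode_qname(name)
  name.split('.').map { |label| [label.bytesize].pack('C') + label }.join + "\x00".b
end

# Build a DNS query packet (RFC 1035): 12-byte header plus one question.
# Flags 0x0100 = standard query, recursion desired; QTYPE 1 = A, QCLASS 1 = IN.
def build_dns_query(name, txid)
  header = [txid, 0x0100, 1, 0, 0, 0].pack('n6')
  header + encode_qname(name) + [1, 1].pack('n2')
end

# Recover the queried name from a packet's question section (questions use no
# label compression, so a plain walk over the labels is enough).
def parse_qname(packet)
  offset = 12
  labels = []
  loop do
    len = packet.getbyte(offset)
    break if len.nil? || len.zero?
    labels << packet.byteslice(offset + 1, len)
    offset += 1 + len
  end
  labels.join('.')
end

# Constructed watch list: the TLDs the slide's beaconing example queries.
WATCHED_TLDS = %w[ru cn kp].freeze

# Detection check: does the query name end in a watch-listed TLD?
def watched_tld_query?(packet)
  WATCHED_TLDS.include?(parse_qname(packet).split('.').last)
end

if __FILE__ == $PROGRAM_NAME
  %w[foo.ru foo.cn foo.kp dc.corp.example].each_with_index do |name, i|
    pkt = build_dns_query(name, 0x1000 + i)
    puts format('%-16s %3d bytes  flagged=%s', name, pkt.bytesize, watched_tld_query?(pkt))
  end
end
```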
Intrusion Kill Chains
Kill Chain – Course of Action Matrix (Source: Hutchins, Cloppert, Amin – Lockheed Martin)

Phase                 | Detect        | Deny         | Disrupt    | Degrade            | Deceive      | Destroy
Reconnaissance        | Web analytics | Firewall ACL |            |                    |              |
Weaponization         | NIDS          | NIPS         |            |                    |              |
Delivery              | Vigilant user | Proxy filter | In-line AV | Queuing            |              |
Exploitation          | HIDS          | Patch        | DEP        |                    |              |
Installation          | HIDS          | "chroot" jail | AV        |                    |              |
C2                    | NIDS          | Firewall ACL | NIPS       | Tarpit             | DNS redirect |
Actions on Objectives | Audit log     |              |            | Quality of Service | Honeypot     |
vSploit Testing Detection Capabilities
The same Course of Action matrix (Source: Hutchins, Cloppert, Amin – Lockheed Martin), with the cells vSploit cannot exercise marked in red on the slide ("Unable to perform tests in red"); that colour marking is not preserved in this text.
vSploit Modules Screen Shots
vSploit: Web PII Module – Configuration
vSploit: Web PII Module – In Action
vSploit: HTTP File Download Server
vSploit: Web Beaconing – Configuration
vSploit: Web Beaconing – In Action
vSploit: DNS Beaconing – Wireshark Analysis
vSploit: Vulnerable Headers
vSploit: Vulnerable Headers PCAP
Writing Metasploit Modules
Where to Learn Ruby
• http://pine.fm/LearnToProgram/
• The Little Book of Ruby
• Humble Little Book of Ruby
• Metasploit Repository Documentation
– http://r-7.co/iNmOBt
Auxiliary Module Basics
Auxiliary Module: Code can be simple
Using IRB in Metasploit
Exploit Written in Python
Same Exploit in Metasploit
Where to put it…
• Official modules live in msf3/modules/
– Subdirectories organized by module type (exploit/, auxiliary/, post/, …)
• ~/.msf3/modules/ has the same structure and is loaded at startup if it exists
• ~/.msf3/modules/auxiliary/vsploit is the location for vSploit modules
Quick demos
vSploit Documentation
• vSploit documentation in Rapid7 Community
– https://community.rapid7.com
Questions?
@iFail
Marcus J. Carey
@msfbannedit
David “bannedit” Rude
@willis__ <- two underscores
Will Vandevanter